Re: How to configure SSL-Proxy Session-Resumption?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 05.12.2010 01:30, Qingshan Xie wrote:
Hello!

   We have a Reverse Proxy server, which initiates SSL connection to the backend
server, functioning as a SSL client.  In order to enable Session-Resumption,
should we configure SSLSessionCache and SSLSessionCacheTimeout?

AFAIR the reverse proxy does not implement session resumption for SSL backends. It neither uses its own SSL session cache nor the caching facilities provided by OpenSSL itself. It only uses its own SSL session caching when acting as an SSL server, not when acting as an SSL client.

It is not as bad as it sounds: the proxy - if configured correctly - uses HTTP Keep-Alive connections to the SSL backend and dispatches all incoming requests to a pool of backend connections. So when load increases you typically need much less backend connections and thus SSL handshakes than you would need for direct client communications.

I did a little experiment a few months ago, so there is a patch for Apache 2.2.x at http://people.apache.org/~rjung/patches/apache-2_2-revproxy_ssl_client_session.patch which uses Apache's internal session cache also for the SSL client in the reverse proxy. The patch is experimental. As far as I remember it did work, but there are some debug statements in it etc. It was developed using 2.2.15, but it does apply cleanly to the head of 2.2. When experimenting with the patch it will use the settings provided by SSLSessionCache and SSLSessionCacheTimeout.

Regards,

Rainer

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux